Global Payments credit-card data breach: How big is the theft?

The Global Payments breach is the largest known credit-card theft from a business or financial institution in the past two years. Last year, data from some 3.4 million credit cards were grabbed.

Cybercriminals recently made off with up to 1.5 million credit-card numbers from Global Payments, a third-party processor of transactions for Visa and MasterCard. It’s the largest known credit-card theft from a business or financial institution in the past two years.

During that period, much larger cases of cyber data theft – involving more than just credit-card information – have occurred. For instance, the personal data of 24 million customers was stolen from online retailer Zappos in January. But to experts who watch cybertheft trends, the Global Payments theft indicates a return by hackers to targeting big organizations, not just small ones far from the law-enforcement limelight.

It also represents hackers avoiding direct attacks on banks and financial institutions that have beefed up their security.

"We've seen the number of reported thefts of data from financial institutions declining since 2005 – even as the number of hacks targeting businesses has steadily risen," says Karen Barney, program director at the Identity Theft Resource Center in San Diego, which issues annual reports tallying the attacks.

Data for 3.4 million credit cards were grabbed last year, down from 4.6 million in 2010, the ITRC reported. Information related to payment cards (that is, credit and debit cards) was involved in more breaches – 48 percent – than was any other data type, according to the 2012 Data Breach Investigations Report, another industry study by Verizon.

Among data theft worldwide last year, there were 855 incidents with 174 million compromised records, according to the Verizon study, which was conducted by Verizon's RISK Team and included data from Australian, Dutch, and Irish police as well as the US Secret Service. In the report last year, the number of compromised records came in at an all-time low – 4 million.

Most payment-card thefts, the Verizon study found, are from small businesses, with only about 5 percent last year from large organizations. More than three-quarters of the breaches involved losses of fewer than 10,000 records. Just seven breaches involved more than 1 million records each.

"The criminal community has effectively been deterred from engaging in high-profile activity," Verizon's 2011 study found. "Pulling off a huge heist might achieve fame and fortune, but it also attracts a lot of unwanted attention.”

The Global Payments cybertheft falls squarely in the Verizon report's "mega-breach" category. But it’s counter to the overall trend in which criminals targeting payment cards have largely shifted from big to small businesses to dodge law enforcement.

One notable mega-breach of a card processor occurred in 2008 against Heartland Payment Systems, which netted thieves data on more than 100 million cards. For that crime, hacker Albert Gonzalez was sentenced in 2010 to 20 years in prison.

It's not certain yet what methods were used to snatch credit-card numbers from Global Payments, although early reports indicated a possible link to a New York City street gang and possibly to parking garages in the city, according to Brian Krebs, the cybersecurity blogger who first broke the story last Friday.

"In an alert sent to card-issuing banks ... [Visa and MasterCard] said the window of vulnerability for the breached processor (at that time unnamed) was between Jan. 21, 2012 and Feb. 25, 2012," Mr. Krebs reported on his website. The data stolen included sufficient information for the thieves to counterfeit new cards, he said.

In a press release Sunday, Global Payments said it believes “the affected portion of its processing system is confined to North America and less than 1,500,000 card numbers may have been exported.” It added, “Based on the forensic analysis to date, network monitoring and additional security measures, the company believes that this incident is contained.”

Still, Visa announced Monday that it had dropped the card processor from its list of providers that meet its data security standards. Global Payments officials said they expected that move to be temporary.